GDPR effects on Gift Aid Presented by Keren Caird Business Development Gift Aid Manager Sue Ryder
Accountability Processed lawfully, fairly and in a transparent manner Collected for specified, explicit and legitimate purposes Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed Accurate, kept up to date
Accountability Kept in a form which permits identification of data subjects for no longer than necessary for the purpose for which the data is processed Security the controller shall be responsible for, and be able to demonstrate, compliance with the principles
Lawful processing For processing to be lawful under the GDPR, you need to identify a lawful basis for processing data and document this Processing is necessary for compliance with legal obligation - Gift Aid
Individuals Rights The right to be informed provide fair processing information typically through a privacy notice. The information must be consise, transparent, intelligible and easily accessible, written in clear and plain language
The Right to be informed Information that must be supplied at the time the data is obtained privacy statement Identify and contact details of the data controller Purpose for the processing and lawful basis for the processing The legitimate interests of the controller Any recipient of the personal data
Right to be informed Information that must be provided at the time the data is obtained privacy statement Retention period The existence of each of data subject s rights The right to withdraw consent at any time, where relevant The right to lodge a complaint with the ICO The existence of automated decision making, including profiling
The right of access Individuals will have the right to obtain Confirmation that their data is being processed Access to their personal data Provide this information free of charge This information must be provided within one month of receipt
The right of access You must verify the identity of the person making the request using reasonable means If the request is made electronically, you should provide the information in electronic format Recommendation to provide remote access to a secure self service system
The right to rectification Individuals are entitled to have personal data rectified if it is in inaccurate or incomplete If you have disclosed the personal data, in question, to third parties, you must inform them of the rectification, where possible You must respond within one month
The right to erasure or right to be forgotten Does not provide an absolute right to be forgotten. Individuals have a right to have personal data erased if The data is no longer necessary in relation to the purpose for which is was originally collected/processed When the individual withdraws consent
The right to erasure or right to be forgotten Does not provide an absolute right to be forgotten. Individuals have a right to have personal data erased if When the individual objects to the processing and there is no overriding legitimate interest for continuing the processing The data was unlawfully processed The personal data has to be erased to comply with legal obligation
The right to erasure or right to be forgotten You can refuse to comply with a request to comply with a legal obligation Gift Aid
The right to object Individuals have the right to object to Processing based on legitimate interests Direct marketing Processing for purposes of scientific/historical research and statistics
The right to object You must stop processing personal data unless: you can demonstrate compelling legitimate grounds for processing the processing is for the establishment, exercise or defence of legal claims You must stop processing data for direct marketing as soon as you receive an objection
Accountability and Governance Requires you to demonstrate that you comply with the principles and states explicitly that this is your responsibility. Implement appropriate technical and organisational measures that ensure and demonstrate that you comply Maintain relevant documentation on processing activates
Breach notification A personal data breach means a breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This means that a breach is more than just losing personal data. inform the relevant supervisory authority Inform those concerned directly 72 hours to report serious breach
Communicating Privacy Information Privacy Statement must contain - Lawful basis for processing Retention periods The right to complain to ICO Lawful Basis compliance, accountability Legitimate Interest
GDPR - Consent Consent must be a freely given, specific, informed and unambiguous indication of the individuals wishes. There must be some form of clear affirmative action, a positive opt in. Consent can not be inferred from silence, pre-ticked boxes or inactivity. Must be separate from other terms and conditions You can rely on other lawful bases apart from consent, example where processing is necessary for legitimate interests Separate communication for opt in and opt out
GDPR consent checklist Check that consent is the most appropriate lawful basis for processing Make the request for consent prominent and separate from your terms & conditions Ask for positive opt in Don t use any type of consent by default Specify why you want the data and what you are going to do with it Give granular options to consent
GDPR consent checklist Name your organisation and any third parties Inform individuals they can withdraw their consent Ensure they can refuse consent without detriment Do not make consent a precondition of a service Keep a record of when and how consent was given by an individual, or withdrawn Keep a record of exactly what they were told at the time
What we need to consider Greater control transparency for opt in Purpose of communication Newsletter Events Fundraising Campaigning
What we need to consider Greater control transparency for opt in Communication by what method Post Email Telephone SMS Social media
HMRC - Compliance Retention period 6 years for audit purposes Enduring declaration forms Up to date records Communicating with donors notification for standard method, end of year statements for method A & B
What we need to consider HMRC legal Analysis we are not Data Controllers in common with HMRC HMRC Privacy Statement - as we are passing our data to them. Link Gov.UK website Transparently & Accountability Legitimate Interest sharing information, will they share with us? Yes on a individual basis if necessary for tax compliance purposes
What we need to consider Right to be forgotten - under Legal obligation we have to retain donor details for 6 years ICO comment we can refuse to delete donor records in order to comply with Legal Obligations. Need to make donors aware transparency
What we need to consider Consent need to ask donors to update their details ie change of address for opt in and outs ICO comment Can ask donors to keep their records up to date by post to comply with legal obligations, but not by email, as this needs consent. Need to give the donor greater control
Clear Guidance On legal obligation, charities are under a legal obligation to obtain and retain certain personal data in relation to claims for Gift Aid. However, they are not under a legal obligation to solicit donations. So any data processing that underpins those activities will be on the basis of legitimate interests and are decisions for individual charities to make for themselves.
Clear Guidance Donor giving us their gift aid details - consent We making a claim to HMRC - is covered by legal obligation. We can't rely on consent, as they could withdraw it, but it is in our interests to get more money, so this is our legitimate interest. Unless we have money we can't provide our services. Keeping the details for 6 years - legal obligation And although there can be all these different legal bases for the different parts of the process, the one we can use to cover all of it, is legitimate interests.
Clear Guidance Data minimisation HMRC s expectations on record keeping for audit purposes only, and explicitly that after this has elapsed those records are destroyed. Storage limitations Data being held in regard of enduring GAD s. Retention periods for non active donors should be considered. We should not be holding data for longer than necessary.
Clear Guidance Clear information in your Privacy Statements to inform the donor of What you are collecting the data for How long it will be retained Who it will be shared with 3 rd parties Data Cleansing - matching with national records Royal Mail redirect etc